ABSTRACT

A method for verifying the authenticity of messages
exchanged between a pair of correspondents in an electronic
transaction conducted over a data transmission system where
the correspondents each include respective signing and
verifying portions of a first signature scheme and a second
signature scheme different from the first and utilizing an
elliptic curve cryptosystem.

8 Claims, 2 Drawing Sheets 
DATA CARD VERIFICATION SYSTEM

This invention relates to methods and apparatus for data
transfer and authentication in an electronic transaction
system, and more particularly to electronic transaction
systems utilizing smart cards.

BACKGROUND OF THE INVENTION 

It has become widely accepted to conduct transactions
such as financial transactions or exchange of documents
electronically. Automated teller machines (ATMs) and credit
cards are widely used for personal transactions, and as their
use expands so too does the need to verify such transactions.
A smart card is somewhat like a credit card and includes some
processing and storage capability. Smart cards are prone to
fraudulent misuse, for example by a dummy terminal which is
used to glean information from an unsuspecting user. Thus,
before any exchange of critical information takes place
between either a terminal and a smart card or vice versa it
is necessary to verify the authenticity of the terminal as
well as the card. One of these verifications may take the
form of "signing" an initial transaction digitally so that
the authenticity of the transaction can be verified by both
parties involved in the subsequent session. The signature is
performed according to a protocol that utilizes a random
message, i.e. the transaction, and a secret key associated
with the party.

The signature must be performed such that the party's
secret key cannot be determined. To avoid the complexity of
distributing secret keys, it is convenient to utilize a public
key encryption scheme in the generation of the signature.
Such capabilities are available where the transaction is
conducted between parties having access to relatively large
computing resources, but it is equally important to facilitate
such transactions at an individual level where more limited
computing resources are available, as in the smart card.

Transaction cards or smart cards are now available with
limited computing capacity, but these are not sufficient to
implement existing digital signature protocols in a
commercially viable manner. As noted above, in order to
generate a verification signature it is necessary to utilize
a public key encryption scheme. Currently, most public key
schemes are based on RSA, but the DSS and the demand for a
more compact system are rapidly changing this. The DSS
scheme, which is an implementation of a Diffie-Hellman public
key protocol, utilizes the set of integers Z_p where p is a
large prime. For adequate security, p must be in the order of
512 bits, although the resultant signature may be reduced
mod q, where q divides p-1, and may be in the order of 160
bits.

An alternative encryption scheme which was one of the
first fully fledged public key algorithms and which works for
encryption as well as for digital signatures is known as the
RSA algorithm. RSA gets its security from the difficulty of
factoring large numbers. The public and private keys are
functions of a pair of large (100 to 200 digits or even
larger) prime numbers. The public key for RSA encryption is
n, the product of the two primes p and q where p and q must
remain secret, and e which is relatively prime to
(p-1)×(q-1). The encryption key d is equal to
e^-1 (mod (p-1)×(q-1)). Note that d and n are relatively
prime.

To encrypt a message m, first divide it into a number of
numerical blocks such that each block is a unique
representation modulo n; then the encrypted message block
c_i is simply m_i^e (mod n). To decrypt a message take each
encrypted block c_i and compute m_i = c_i^d (mod n).

Another encryption scheme that provides enhanced security
at relatively small modulus is that utilizing elliptic
curves in the finite field 2^m. A value of m in the order of
155 provides security comparable to a 512 bit modulus DSS and
therefore offers significant benefits in implementation.
Diffie-Hellman public key encryption utilizes the properties
of discrete logs so that even if a generator β and the
exponentiation β^k is known, the value of k cannot be
determined. A similar property exists with elliptic curves
where the addition of two points on any curve produces a
third point on the curve. Similarly, multiplying a point P on
the curve by an integer k produces a further point on the
curve. For an elliptic curve, the point kP is simply obtained
by adding k copies of the point P together.

However, knowing the starting point and the end point
does not reveal the value of the integer k which may then be
used as a session key for encryption. The value kP, where P
is an initial known point, is therefore equivalent to the
exponentiation β^k. Furthermore, elliptic curve
crypto-systems offer advantages over other key crypto-systems
when bandwidth efficiency, reduced computation and minimized
code space are application goals.

Furthermore, in the context of a smart card and an
automated teller machine transaction, there are two major
steps involved in the authentication of both parties. The first
is the authentication of the terminal by the smart card and the
second is the authentication of the smart card by the
terminal. Generally, this authentication involves the
verification of a certificate generated by the terminal and
received by the smart card and the verification of a
certificate signed by the smart card and verified by the
terminal. Once the certificates have been positively verified
the transaction between the smart card and the terminal may
continue.

Given the limited processing capability of the smart card,
verifications and signature processing performed on the
smart card are generally limited to simple encryption
algorithms. A more sophisticated encryption algorithm is
generally beyond the scope of the processing capabilities
contained within the smart card. Thus, there exists a need
for a signature verification and generation method which may
be implemented on a smart card and which is relatively secure.

SUMMARY OF THE INVENTION

This invention seeks in one aspect to provide a method of
data verification between a smart card and a terminal.

In accordance with this aspect there is provided a method
for verifying a pair of participants in an electronic
transaction, comprising the steps of verifying information
received by the second participant from the first participant,
wherein the verification is performed according to a first
signature algorithm; verifying information received by the
first participant from the second participant, wherein the
verification is performed according to a second signature
algorithm; and whereby the transaction is rejected if either
verification fails.

The first signature algorithm may be one which is
computationally more difficult in signing than verifying,
while the second signature algorithm is more difficult in
verifying than signing. In such an embodiment the second
participant may participate with relatively little computing
power, while security is maintained at a high level.

In a further embodiment, the first signature algorithm is
based on an RSA, or DSS type algorithm, and the second
signature algorithm is based on an elliptic curve algorithm.

BRIEF DESCRIPTION OF THE DRAWINGS 

An embodiment of the invention will now be described by
way of example with reference to the accompanying
drawings, in which:
FIG. 1a is a schematic representation showing a smart
card and terminal;

FIG. 1b is a schematic representation showing the
sequence of events performed during the verification process
in a smart card transaction system; and

FIG. 2 is a detailed schematic representation showing a
specific protocol.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Referring to FIG. 1(a), a terminal 100 is adapted to
receive a smart card 102. Typically, insertion of the card 102
into the terminal initiates a transaction. Mutual
authentication between the terminal and the card is then
performed as shown in FIG. 1b. In very general terms, this
mutual authentication is performed according to a
"challenge-response" protocol. Generally, the card transmits
information to the terminal, the terminal 100 signs the
information with an RSA based algorithm 112 and it is then
sent to the card 102, which verifies the information with an
RSA based algorithm 114. The information exchange 116 between
the card and the terminal also includes information generated
by the card which is sent to the terminal to be signed by the
terminal with an RSA algorithm and returned to the card to be
verified utilizing an RSA algorithm. Once the relevant
verification has been performed 118, a further step is
performed where information is signed by the card using an
elliptic curve encryption protocol 120 and submitted to the
terminal to be verified 124 by the terminal utilizing an
elliptic curve based protocol. Similarly, the information
exchange 122 between the card and the terminal may include
information generated by the terminal which is sent to the
card to be signed by the card and returned to the terminal
for verification. Once the appropriate information has been
verified 126 the further transactions between the terminal
and card may proceed 128.

Referring now to FIG. 2, a detailed implementation of the
mutual authentication of the terminal and the card, according
to the "challenge-response" protocol, is shown generally by
numeral 200. The terminal 100 is first verified by the card
102 and the card is then verified by the terminal. The
terminal first sends to the card a certificate C_1, 20,
containing its ID, T_ID, and public information including the
public key. The certificate 20 may be also signed by a
certifying authority (CA) so that the card may verify the
association of the terminal ID T_ID with the public key
received from the terminal. The keys used by the terminal and
the CA in this embodiment may both be based on the RSA
algorithm.

With the RSA algorithm each member or party has a
public and a private key, and each key has two parts. The
signature has the form:

S = m^d (mod n)

where:

m is the message to be signed;

n, a public key, is the modulus and is the product of two
primes p and q;

e, the encryption key chosen at random and which is also
public, is a number chosen to be relatively prime to
(p-1)×(q-1); and

d, the private key, is congruent to e^-1 (mod (p-1)×(q-1)).

For the RSA algorithm, the pair of integers (n,e) are the
public key information that is used for signing, while the
pair of integers (d,n) may be used to decrypt a message
which has been encrypted with the public key information
(n,e).

Referring back to FIG. 2, the numbers n and e are the
public keys of the CA and may be set as system parameters.
The public key e may be either stored in the smart card or
in an alternate embodiment hardwired into a logic circuit in
the card. Furthermore, choosing e to be relatively small
ensures that the exponentiation may be carried out relatively
quickly.

The certificate 20, C_1, is signed by the CA and has the
parameters (n,e). The certificate contains the terminal ID
T_ID, and the terminal public key information T_n and T_e,
which is based on the RSA algorithm. The certificate C_1 is
verified 24 by the card extracting T_ID, T_n, T_e. This
information is simply extracted by performing C_1^e mod n.
The card then authenticates the terminal by generating a
random number R1, 26, which it transmits to the terminal. The
terminal signs the message R1 using its secret key T_d by
performing R1^(T_d) mod T_n to generate the value C_2, 28.
Once again the key used by the terminal is an RSA key which
has been originally created in such a way that the public key
T_e consists of a small, possibly system wide, parameter
having a value 3, while the other part of the public key is
the modulus T_n which would be associated with the terminal.
The terminal's private key T_d cannot be small if it
corresponds to a small public key T_e. In the case of the
terminal, it does not matter whether the private key T_d is
chosen to be large as the terminal has the required computing
power to perform the exponentiation relatively quickly.

Once the terminal has calculated the value C_2, 28, it
generates a secret random number R2, 29. The terminal sends
both R2 and C_2, 32, to the card. The card then performs a
modular exponentiation 34 on the signed value C_2 with the
small exponent T_e, using the terminal's modulus T_n. This is
performed by calculating R1' = C_2^(T_e) mod T_n. If R1' is
equal to R1, 36, then the card knows that it is dealing with
the terminal whose ID T_ID is associated 38 with the modulus
T_n. The card generally contains a modulo arithmetic
processor (not shown) to perform the above operation.

The secret random number R2 is signed 40 by the card
and returned to the terminal along with a certificate signed
by the CA which relates the card ID to its public
information. The signing by the card is performed according
to an elliptic curve signature algorithm.

The verification of the card proceeds on a similar basis as
the verification of the terminal, however, the signing by the
card utilizes an elliptic curve encryption system.

Typically for an elliptic curve implementation a signature
component s has the form:

s = ae + k (mod n)

where:

P is a point on the curve which is a predefined parameter
of the system;

k is a random integer selected as a short term private or
session key, and has a corresponding short term public key
R = kP;

a is the long term private key of the sender (card) and has
a corresponding public key aP = Q;

e is a secure hash, such as the SHA hash function, of a
message m (R2 in this case) and short term public key R; and

n is the order of the curve.

For simplicity it will be assumed that the signature
component s is of the form s = ae + k as discussed above
although it will be understood that other signature protocols
may be used.

To verify the signature sP - eQ must be computed and
compared with R. The card generates R, using for example
a field arithmetic processor (not shown). The card sends to
the terminal a message including m, s, and R, indicated in
block 44 of FIG. 2 and the signature is verified by the
terminal by computing the value (sP - eQ) 46 which should
correspond to kP. If the computed values correspond 48 then
the signature is verified and hence the card is verified and the
transaction may continue.

The terminal checks the certificate, then it checks the 
signature of the transaction data which contains R2, thus 
authenticating the card to the terminal. In the present 
embodiment the signature generated by the card is an elliptic 
curve signature, which is easier for the card to generate, but 
requires more computation by the terminal to verify. 
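
The FIG. 2 exchange described above, as an added Python example
that is not part of the patent text: the terminal answers the
card's challenge R1 with an RSA signature that the card checks
with exponent 3, then the card signs the terminal's challenge R2
with s = ae + k (mod n) and the terminal checks sP - eQ against R.
Assumptions: the CA certificates are omitted, the RSA primes are
toy values constructed for the example, secp256k1 over a prime
field stands in for a curve over the finite field 2^m, and
SHA-256 is the hash.

```python
import hashlib, secrets

# Terminal's RSA key. Toy primes (constructed, far too small for real use);
# both are 2 mod 3, so the public exponent T_e = 3 is invertible.
T_P, T_Q = 1_000_000_007, 998_244_353
T_N, T_E = T_P * T_Q, 3
T_D = pow(T_E, -1, (T_P - 1) * (T_Q - 1))   # large secret exponent

def terminal_sign(r1):       # terminal: C2 = R1^T_d mod T_n
    return pow(r1, T_D, T_N)

def card_verify(r1, c2):     # card: R1' = C2^T_e mod T_n, one modular cubing
    return pow(c2, T_E, T_N) == r1

# Curve for the card's signature. Assumption: secp256k1 over a prime field
# stands in for the patent's curve over the finite field 2^m.
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):             # point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % FP, -1, FP)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP)
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def mul(k, pt):              # double-and-add computation of kP
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def challenge_hash(m, r):
    """e = SHA-256(m || R) reduced mod n (the hash choice is an assumption)."""
    data = b"".join(v.to_bytes(32, "big") for v in (m, r[0], r[1]))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def card_sign(a, m):
    """Card: one point multiplication R = kP, then s = ae + k (mod n)."""
    k = secrets.randbelow(N - 1) + 1
    r = mul(k, G)
    return (a * challenge_hash(m, r) + k) % N, r

def terminal_verify(q, m, s, r):
    """Terminal: two point multiplications, accept if sP - eQ == R."""
    e_q = mul(challenge_hash(m, r), q)
    minus_e_q = None if e_q is None else (e_q[0], -e_q[1] % FP)
    return add(mul(s, G), minus_e_q) == r

def mutual_auth(a, q):
    """Both challenges in order; reject if either verification fails."""
    r1, r2 = secrets.randbelow(T_N), secrets.randbelow(N)
    return (card_verify(r1, terminal_sign(r1))
            and terminal_verify(q, r2, *card_sign(a, r2)))
```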

As is seen from the above equation, the calculation of s is
relatively straightforward and does not require significant
computing power. However in order to perform the
verification it is necessary to compute a number of point
multiplications to obtain sP and eQ, each of which is
computationally complex. Other protocols, such as the MQV
protocols require similar computations when implemented
over elliptic curves which may result in slow verification
when the computing power is limited. However this is
generally not the case for a terminal.

Although an embodiment of the invention has been 
described with reference to a specific protocol for the 
verification of the terminal and for the verification of the 
card, other protocols may also be used. 

What is claimed is: 

1. A method of verifying the authenticity of messages
exchanged between a pair of correspondents in an electronic
transaction conducted over a data transmission system, said
correspondents each including respective signing and
verifying portions of a first signature scheme and a second
signature scheme different to said first scheme and utilizing
an elliptic curve crypto system said method comprising the
steps of:

one of said correspondents signing a message according
to a signing portion of one of said schemes associated
with said one correspondent to provide a first signed
message and transmitting said first signed message to
another of said correspondents; said other correspondent
utilizing said verifying portion of said one signature
scheme to verify said first signed message received
from said one correspondent;

said other correspondent signing a message by utilizing
said signing portion of the other of said signature
schemes to provide a second signed message and
transmitting a second signed message to said one
correspondent;

said one correspondent verifying said second signed
message received from said other correspondent by
utilizing said verification portion of said other of said
signature schemes, wherein one of said signature and
one of said verifications is performed according to said
second signature scheme utilizing an elliptic curve
cryptosystem; and rejecting said transaction if either
verification fails.

2. A method as defined in claim 1, said first signature
scheme is computationally more difficult in signing than
verifying, while said second signature scheme is
computationally more difficult in verifying than signing,
thereby allowing one of said correspondents to participate
with relatively little computing power while maintaining
security of said transaction.

3. A method as defined in claim 1, wherein said first 
digital signature scheme is an RSA type scheme. 
4. A method as defined in claim 1, wherein said first
digital signature scheme is a DSS type scheme. 

5. A method of verifying the authenticity of messages
exchanged between a pair of correspondents in electronic
transaction conducted over a data transmission system, said
correspondents each including respective signing and
verifying portions of a first signature scheme and a second
signature scheme, different from said first scheme and
utilizing an elliptic curve crypto system said method
comprising the steps of:

one of said correspondents transmitting to another of said
correspondents, a first certificate including public key
and identification information of said first
correspondent;

said other correspondent verifying said certificate and
extracting said public key said identification
information therefrom;

said other correspondent generating a first challenge R1
and transmitting said challenge to said one
correspondent;

said one correspondent signing said received challenge R1
in accordance with said signing portion of one of said
signature schemes to provide a second certificate C2;

said one correspondent generating a second challenge and
transmitting said second challenge along with said
certificate C2 to said other correspondent;

said other correspondent verifying said certificate C2 in
accordance with said verification portion of one of said
signature schemes;

said other correspondent signing said second challenge
R2 in accordance with said signing portion of the other
of said signature schemes to provide a third certificate
and transmitting said third certificate to said one
correspondent; and

said one correspondent verifying said third certificate in
accordance with said verification portion of said other
of said signature schemes, and rejecting said
transaction if either said signature is not verified.

6. A smart card for use in an electronic transaction with a
correspondent, said card comprising:

a memory including

a verification algorithm of a first signature scheme to
implement a verification of a signature performed
according to a first signature generation algorithm by
said correspondent;

a signing algorithm of second signature scheme different
to said first signature scheme and utilizing elliptic
curve cryptography, said algorithm implementing a
signature according to a second signature generation
algorithm;

a program for invoking said algorithms; and
processor means for running said first verification
algorithm for verifying a first message signed by said
correspondent and for running said second signature for
signing a second message for transmission to said
correspondent.

7. A card according to claim 6 wherein said verification 
algorithm verifies an RSA signature. 

8. A card according to claim 6 wherein said verification 
algorithm verifies a DSS signature. 